October 31, 2012, 3:28 PM — Using non-secured public Wi-Fi hotspots can leave you vulnerable to identity theft, data theft, snooping, impersonation and malware infection. That's why so many people rely on public virtual private network services, but VPNs are no panacea. Here are five potential gotchas.
1. Vulnerability to Wi-Fi-based attacks: Since VPN services can be enabled only after a user is connected to public Wi-Fi and allowed to access the Internet, there is a window in which hackers can attack public Wi-Fi users before the VPN is up. Also, VPN services do not provide protection against Layer 2 attacks, such as ARP poisoning, which can cause denial of service (DoS) for the attacked user, potentially preventing them from connecting to their VPN. A motivated attacker can exploit this blocking further to force users to stop using the VPN altogether, leaving them vulnerable to other breaches.
2. Vulnerability to VPN-based attacks: VPN services, although intended to secure all communications, have been found to have protocol- and implementation-level vulnerabilities. For instance, certain SSL-based VPN services are prone to man-in-the-middle attacks, which can be easily set up by a hacker on a public Wi-Fi network using readily available software and equipment. Also, the MS-CHAPv2 exploit demonstrated at the recent DefCon 20 conference exposed the insecurity of VPN services based on PPTP using MS-CHAPv2, to the extent that free tools and cracking sites are now available to crack such services. Since most VPN service providers use PPTP, the security of hotspot users relying on their services is questionable.
3. Additional cost: Although certain free VPN services are available for public Wi-Fi users, these may not offer the expected Internet reliability or quality and often impose time and/or bandwidth limitations. Hence, for quality and reliability, users need to subscribe to paid VPN services, with costs varying by vendor and by the quality and support available. The cost and periodic renewals can be a potential burden for users.
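Item 1 notes that a VPN does not protect against Layer 2 attacks such as ARP poisoning. As an added example (not part of the original article), the Python script below checks a Linux ARP table for two signs of poisoning: the gateway's MAC address also answering for another IP, and the gateway's MAC differing from a previously recorded value. The sample table, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in Linux /proc/net/arp layout (not captured from a real network).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:66     *        wlan0
192.168.1.23     0x1         0x2         de:ad:be:ef:00:66     *        wlan0
192.168.1.40     0x1         0x2         3c:22:fb:10:aa:01     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def parse_arp(text):
    """Return {ip: mac} for complete entries; skip the header and incomplete rows."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        # Flag bit 0x2 marks a completed (resolved) entry.
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table

def check_arp(table, gateway_ip, known_gateway_mac=None):
    """Return a list of (finding, mac, ips) tuples that suggest ARP poisoning."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # One MAC answering for the gateway and for another host on the same segment.
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            findings.append(("gateway_mac_shared", mac, sorted(ips)))
    # Gateway MAC differs from the value recorded on an earlier, trusted connection.
    current = table.get(gateway_ip)
    if known_gateway_mac and current and current != known_gateway_mac.lower():
        findings.append(("gateway_mac_changed", current, [gateway_ip]))
    return findings

if __name__ == "__main__":
    # The baseline MAC here is a constructed value standing in for a saved one.
    for finding in check_arp(parse_arp(SAMPLE_ARP), "192.168.1.1", "3c:22:fb:00:00:01"):
        print(finding)
```

On a live Linux host the same functions can be fed the contents of `/proc/net/arp`. A shared MAC is a signal to investigate, not proof, since some routers legitimately hold several addresses.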